chore(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
@biomejs/biome (source)	2.4.7 → 2.4.8			devDependencies	patch
coverage	7.13.4 → 7.13.5			dependency-groups	patch
geekyeggo/delete-artifact	v5 → v6			action	major
npm-check-updates	19.6.3 → 19.6.5			devDependencies	patch
prek (source, changelog)	0.3.5 → 0.3.6			dependency-groups	patch
tombi	0.9.6 → 0.9.8			dependency-groups	patch	0.9.9
uv (source, changelog)	0.10.10 → 0.10.12			project.dependencies	patch

---

Release Notes

biomejs/biome (@​biomejs/biome)

v2.4.8

Compare Source

Patch Changes

• #​9488 bc709f6 Thanks @​mvanhorn! - Fixed #​9463: the "Biome found a configuration file outside of the current working directory" diagnostic now includes the configuration file path and the working directory, giving users actionable information to debug the issue.

• #​9527 2f8bf80 Thanks @​mdm317! - Fixed #​8959: Fixed TypeScript arrow function formatting when a comment appears after =>.

• #​9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleUpdateWithoutWhere to prevent accidental full-table updates when using Drizzle ORM without a .where() clause.

• #​9531 1302740 Thanks @​ematipico! - Fixed #​9187: Astro frontmatter containing regex literals with quotes (/'/, /"/) or dashes (/---/) no longer causes parse errors.

• #​9535 b630d93 Thanks @​leno23! - Fixed #​9524: remove extra space before > when bracketSameLine is true and the self-closing slash is absent in HTML formatter.

• #​9537 81e6306 Thanks @​ematipico! - Fixed #​9238: The HTML parser no longer incorrectly reports --- inside element content (e.g. <td>---</td>) as an "Unexpected value or character" error.

• #​9532 4b64145 Thanks @​ematipico! - Fixed #​9117: biome check --write no longer falsely reports Svelte and Vue files as changed when html.formatter.indentScriptAndStyle is enabled and the files are already correctly formatted.

• #​9528 61451ef Thanks @​ematipico! - Fixed #​9341: Fixed an LSP crash that could corrupt file content when saving with format-on-save enabled.

• #​9538 794f79c Thanks @​ematipico! - Fixed #​9279: The rule noSubstr now detects .substr() and .substring() calls in all expression contexts, including variable declarations, function arguments, return statements, and arrow function bodies.

• #​9462 c23272c Thanks @​ematipico! - Fixed #​9370: The resolver now correctly prioritizes more specific exports patterns over less specific ones. Previously, a pattern like "./*" could match before "./features/*", causing resolution failures for packages with overlapping subpath patterns.

• #​9515 f85c069 Thanks @​shivamtiwari3! - Fixed #​9506 and #​9479: Biome no longer reports false parse errors on <script type="speculationrules"> and <script type="application/ld+json"> tags. These script types contain non-JavaScript content and are now correctly skipped by the embedded language detector.

• #​9514 7fe43c8 Thanks @​ematipico! - Fixed #​6964: Biome now correctly resolves the .gitignore file relative to vcs.root when configured. Previously, the vcs.root setting was ignored and Biome always looked for the ignore file in the workspace directory.

• #​9521 af39936 Thanks @​ematipico! - Fixed #​9483. Now the rule noRedeclare doesn't panic when it encounters constructor overloads.

• #​9490 60cf024 Thanks @​willfarrell! - Added support for modern CSS properties, pseudo-classes, and pseudo-elements.

  New known properties: dynamic-range-limit, overlay, reading-flow, reading-order, scroll-marker-group, scroll-target-group.

  New pseudo-elements: ::checkmark, ::column, ::picker, ::picker-icon, ::scroll-button, ::scroll-marker, ::scroll-marker-group.

  New pseudo-classes: :active-view-transition-type, :has-slotted, :target-after, :target-before, :target-current.

• #​9526 4d42823 Thanks @​ematipico! - Fixed #​9358 and #​9375. Now attributes that have text expressions such as class={buttonClass()} are correctly tracked in Svelte files.

• #​9520 61f53ee Thanks @​ematipico! - Fixed #​9519. Now noUnusedVariables doesn't flag variables that are used as typeof type.

• #​9487 331dc0d Thanks @​mvanhorn! - Fixed #​9477: source.fixAll.biome no longer sorts imports when source.organizeImports.biome is disabled in editor settings. The organize imports action is now excluded from the fix-all pass unless explicitly requested.

• #​9525 e7b3b10 Thanks @​ViniciusDev26! - Added the rule noDrizzleDeleteWithoutWhere to prevent accidental full-table deletes when using Drizzle ORM without a .where() clause.

coveragepy/coveragepy (coverage)

v7.13.5

Compare Source

• Fix: issue 2138_ describes a memory leak that happened when repeatedly
  using the Coverage API with in-memory data. This is now fixed.

• Fix: the markdown-formatted coverage report didn't fully escape special
  characters in file paths (issue 2141). This would be very unlikely to
  cause a problem, but now it's done properly, thanks to Ellie Ayla <pull 2142_>.

• Fix: the C extension wouldn't build on VS2019, but now it does (issue 2145_).

.. _issue 2138: #​2138
.. _issue 2141: #​2141
.. _pull 2142: #​2142
.. _issue 2145: #​2145

.. _changes_7-13-4:

geekyeggo/delete-artifact (geekyeggo/delete-artifact)

v6

Compare Source

raineorshine/npm-check-updates (npm-check-updates)

v19.6.5

Compare Source

What's Changed

• fix(pnpm): fallback from pnpm.cmd to pnpm on Windows for non-standard installs by @​terminalchai in #​1606

New Contributors

• @​terminalchai made their first contribution in #​1606

Full Changelog: raineorshine/npm-check-updates@v19.6.3...v19.6.5

j178/prek (prek)

v0.3.6

Compare Source

Released on 2026-03-16.

Enhancements

• Allow selectors for hook ids containing colons (#​1782)
• Rename prek install-hooks to prek prepare-hooks and prek install --install-hooks to prek install --prepare-hooks (#​1766)
• Retry auth-failed repo clones with terminal prompts enabled (#​1761)

Performance

• Optimize detect_private_key by chunked reading and using aho-corasick (#​1791)
• Optimize fix_byte_order_marker by shifting file contents in place (#​1790)

Bug fixes

• Align stage defaulting behavior with pre-commit (#​1788)
• Make sure child output is drained in the PTY subprocess (#​1768)
• fix(golang): use GOTOOLCHAIN=local when probing system go (#​1797)

Documentation

• Disambiguate “hook” terminology by renaming "Git hooks" to "Git shims" (#​1776)
• Document compatibility with pre-commit (#​1767)
• Update configuration.md with TOML 1.1 notes (#​1764)

Other changes

• Sync latest identify tags (#​1798)

Contributors

• @​github-actions
• @​j178
• @​pcastellazzi
• @​deadnews
• @​copilot-swe-agent

tombi-toml/tombi (tombi)

v0.9.8

Compare Source

What's Changed

🚀 New Features

• feat: support fragment by @​ya7010 in #​1608

🛠️ Other Changes

• fix: update dependencies and enhance completion logic for Cargo.toml by @​ya7010 in #​1604
• fix: update SemVerRequirement to include examples in schema by @​ya7010 in #​1605
• fix: add logging for TOML AST parsing errors by @​ya7010 in #​1606
• Update: schema uri by @​ya7010 in #​1607

Full Changelog: tombi-toml/tombi@v0.9.7...v0.9.8

v0.9.7

Compare Source

What's Changed

🐛 Bug Fixes

• fix: terminal pop-up problem with vscode extension in Windows system by @​luo2430 in #​1600

🛠️ Other Changes

• docs: update installation guide to clarify type definition request behavior in Zed by @​ya7010 in #​1596
• doc: fix and move tombi.toml sample by @​ya7010 in #​1597
• ci: skip irrelevant GitHub Actions runs by @​ya7010 in #​1598
• refactor(vscode): extract node command check by @​ya7010 in #​1601

New Contributors

• @​luo2430 made their first contribution in #​1600

Full Changelog: tombi-toml/tombi@v0.9.6...v0.9.7

astral-sh/uv (uv)

v0.10.12

Compare Source

Released on 2026-03-19.

Python

• Add pypy 3.11.15 (#​18468)
• Add support for using Python 3.6 interpreters (#​18454)

Enhancements

• Include uv's target triple in version report (#​18520)
• Allow comma separated values in --no-emit-package (#​18565)

Preview features

• Show uv audit in the CLI help (#​18540)

Bug fixes

• Improve reporting of managed interpreter symlinks in uv python list (#​18459)
• Preserve end-of-line comments on previous entries when removing dependencies (#​18557)
• Treat abi3 wheel Python version as a lower bound (#​18536)
• Detect hard-float support on aarch64 kernels running armv7 userspace (#​18530)

Documentation

• Add Python 3.15 to supported versions (#​18552)
• Adjust the PyPy note (#​18548)
• Move Pyodide to Tier 2 in the Python support policy (#​18561)
• Move Rust and Python version support out of the Platform support policy (#​18535)
• Update Docker guide with changes from uv-docker-example (#​18558)
• Update the Python version policy (#​18559)

v0.10.11

Compare Source

Released on 2026-03-16.

Enhancements

• Fetch Ruff release metadata from an Astral mirror (#​18358)
• Use PEP 639 license metadata for uv itself (#​16477)

Performance

• Improve distribution id performance (#​18486)

Bug fixes

• Allow --project to refer to a pyproject.toml directly and reduce to a warning on other files (#​18513)
• Disable SYSTEM_VERSION_COMPAT when querying interpreters on macOS (#​18452)
• Enforce available distributions for supported environments (#​18451)
• Fix uv sync --active recreating active environments when UV_PYTHON_INSTALL_DIR is relative (#​18398)

Documentation

• Add missing -o requirements.txt in uv pip compile example (#​12308)
• Link to organization security policy (#​18449)
• Link to the AI policy in the contributing guide (#​18448)

---

Configuration

📅 Schedule: Branch creation - "before 4am on monday" in timezone UTC, Automerge - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone UTC.

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pyproject.toml

Artifact update for tombi resolved to version 0.9.9, which is a pending version that has not yet passed the Minimum Release Age threshold.
Renovate was attempting to update to 0.9.8
This is (likely) not a bug in Renovate, but due to the way your project pins dependencies, _and_ how Renovate calls your package manager to update them.
Until Renovate supports specifying an exact update to your package manager (https://github.com/renovatebot/renovate/issues/41624), it is recommended to directly pin your dependencies (with `rangeStrategy=pin` for apps, or `rangeStrategy=widen` for libraries)
See also: https://docs.renovatebot.com/dependency-pinning/

[sonarqubecloud]

❌ The last analysis has failed.

See analysis details on SonarQube Cloud